Rancher 2.8.15 设置 Skip TLS Verifications 未生效解决方法

发表于 分类于

问题

使用 Rancher v2.18.15-ent 创建了 v1.26.15+rke2r1 集群,并使用私有镜像仓库,由于遇到了 CA Cert Bundle 格式的问题,所以打算使用 Skip TLS Verifications 跳过证书校验,但是拉镜像的时候还是报证书错误。

排查过程

查看registries.yaml文件,有对应 insecure_skip_verify 配置。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# cat /etc/rancher/rke2/registries.yaml | jq .
{
  "configs": {
    "harbor.zerchin.top": {
      "auth": null,
      "tls": {
        "ca_file": "",
        "cert_file": "",
        "key_file": "",
        "insecure_skip_verify": true
      }
    }
  },
  "mirrors": null
}

查看hosts.toml 文件,也看到 skip_verify 已经配置上去了。

1
2
3
4
5
6
# cat /var/lib/rancher/rke2/agent/etc/containerd/certs.d/harbor.zerchin.top/hosts.toml # File generated by rke2. DO NOT EDIT.

server = "https://harbor.zerchin.top/v2"
capabilities = ["pull", "resolve", "push"]

skip_verify = true

拉取镜像报错如下错误:

1
Failed to pull image "harbor.zerchin.top/zerchin/network:latest": rpc error: code = Unknown desc = failed to pull and unpack image "harbor.zerchin.top/zerchin/network:latest": failed to resolve reference "harbor.zerchin.top/zerchin/network:latest": failed to do request: Head "https://harbor.zerchin.top/v2/zerchin/network/manifests/latest": tls: failed to verify certificate: x509: certificate signed by unknown authority

检查 containerd 的日志可以看到,缺少了 host 配置:

1
time="2025-06-17T12:22:38.249320368+08:00" level=error msg="failed to decode hosts.toml" error="invalid `host` tree"

定位问题

参考此 issue 可以得知,rke2 在转换 containerd 配置过程中,缺少了 host 参数,导致 skip_verify 不生效。

该问题在 v1.27.13+rke2r1 、v1.28.9+rke2r1、v1.29.4+rke2r1 以及之后的版本进行修复。

问题解决

升级到对应版本解决。如果无法升级,可以参考此方法。

在配置过程中,添加 Mirrors,同时给 Endpoints 设置端口,参考如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# cat /etc/rancher/rke2/registries.yaml | jq .
{
  "configs": {
    "harbor.zerchin.top:443": {
      "auth": null,
      "tls": {
        "ca_file": "",
        "cert_file": "",
        "key_file": "",
        "insecure_skip_verify": true
      }
    }
  },
  "mirrors": {
    "harbor.zerchin.top": {
      "endpoint": [
        "https://harbor.zerchin.top:443"
      ]
    }
  }
}



# cat etc/containerd/certs.d/harbor.zerchin.top/hosts.toml 
# File generated by rke2. DO NOT EDIT.

server = "https://harbor.zerchin.top/v2"
capabilities = ["pull", "resolve", "push"]



[host."https://harbor.zerchin.top:443/v2"]
  capabilities = ["pull", "resolve"]
  skip_verify = true